Google has announced plans to dedicate $1,000,000 to fund grants for independent security research in 2016.
In a post on the Google Drive Blog, Kevin Nelson, Product Manager for Google Drive, noted that independent security researchers have already contributed significantly Google’s data security. The newly announced funding should determine even more researchers to put effort into keep Google Drive safe.
The Internet giant is offering grants for security research on newly launched features and products, on an existing Google product considered particularly sensitive, and on recently fixed vulnerabilities in a product or Google wide. Security researchers interested in applying for a grant can find additional information on the process on Google’s dedicated webpage.
The company launched the Vulnerability Research Grants program in January of this year, which is intended to reward the time and effort security researchers spend testing Google products even when they do not end up discovering new vulnerabilities. Those who do find security holes in the company’s products are rewarded as well.
Google is already offering rewards of up to $20,000 to anyone who finds and reports a qualifying issue in its products, including Google.com, YouTube, and Blogger, and it plans on doing so the next year as well. However, only a few vulnerabilities qualify for the highest rewards, namely remote code execution bugs such as command injection, deserialization bugs, sandbox escapes.
According to Google’s reward program page, it is willing to pay up to $20,000 for issues discovered in applications that permit taking over a Google account, in highly sensitive applications, and in normal Google applications. The company also notes that vulnerabilities that allow unrestricted file system or database access and logic flaw bugs leaking or bypassing significant security controls are awarded with up to $10,000 in cash.
Last week, Google announced a series of changes in its indexing system, which will result in HTTPS pages being crawled in favor of their HTTP equivalents. The move is meant to further promote the use of the HTTPS protocol, which should provide users with increased security when browsing the Internet.